(54) Abstract Title

Aggregation of log data from different operating systems into a central data log 

(57) Apparatus and methods for maintaining a centralized data log [105] for a distributed computer system
[100] utilizing more than one type of operating system [125, 135, 165]. The present patent document discloses
techniques for transferring and storing log data [300] across different platforms and the aggregation of that log
data [300] into one location wherein the processes detecting the log data [300] are executed by operating
systems [125, 135, 165] which are not limited to being of the same type. Thus, this aggregation mechanism is
designed to allow multiple processes [130, 160] operating on diverse kinds of systems [140, 170] to log to a
central system [115], which itself may be on any kind of system. An administrator can monitor from a single
source the operation of a distributed computer system [100], as for example a distributed management tool,
whose components may be distributed across a network [190] and operating on multiple, geographically
dispersed computers [140, 170].

AGGREGATION OF LOG DATA INTO
CENTRALIZED DATA LOG

FIELD OF THE INVENTION 

The present invention relates generally to networks of computer systems and,
more particularly, to the logging of information regarding the activities of the system.

BACKGROUND OF THE INVENTION 

In order to monitor the progress of any system, it is desirable to have information
about the activities of the system. Such information, provided in a manner which collects
it over time into one location is called a log. The advent of distributed systems operating
on networks, in particular the Internet, has presented new difficulties due to the fact that
each individual system maintains its own separate, local log. Thus, in order to investigate
operation of the system as a whole, system administrators have been forced to open and
read several different logs. The system administrator's job is made especially difficult
in trying to correlate the timing of several events which were recorded in differing logs.
As an added complication, some of these logs may be stored on computers remotely
located from the system administrator. In addition, format of the various logs may differ
from one another, as well as the platforms on which the logs are stored.

A utility available on UNIX systems is Syslog which allows multiple dispersed
components to log to a single system. However, since it is UNIX only, Syslog does not
permit systems having operating systems other than UNIX to write to a common log.

Thus, there is a need, in environments made up of multiple components which
operate semi-autonomously, to have the log information generated by these components
collected into a centrally located log which can be easily accessed by the system
administrator.



SUMMARY OF THE INVENTION 



The present patent document discloses techniques for aggregating log data in a 
distributed system. Previous methods for storing log data have either relied upon 
maintaining individual logs for each individual process on the local system or a central 
log for distributed systems wherein each individual system is executed by the same type 
operating system. 

Disclosed in various embodiments are apparatus and methods for gathering event
data by a process executed by an operating system on a computer system, transferring
that data to a logging process executed by an operating system on another computer
system wherein the logging process operating system is intrinsically different from the
operating system of the process that detected the event, and storing that data in a data log
on the logging process computer system. Provision is also made for gathering,
transferring, and storing event data for processes running on the computer system on
which the data log is located. A representative data structure for the entries in the data
log is also disclosed.

The disclosures of the present patent document provide two primary advantages 
over the prior art: (1) logging of log data across different platforms and (2) aggregation 
of log data into one location. This aggregation mechanism is designed to allow multiple 
elements operating on diverse kinds of systems to log to a central system, which itself 
may be on any kind of system. An administrator can monitor the operation of a 
distributed system, as for example a distributed management tool, whose components 
may be distributed across a network and operating on multiple, geographically dispersed
computers. 

Other aspects and advantages of the present invention will become apparent from 
the following detailed description, taken in conjunction with the accompanying drawings, 
illustrating by way of example the principles of the invention. 



BRIEF DESCRIPTION OF THE DRAWINGS



The accompanying drawings provide visual representations which will be used 
to more fully describe the invention and can be used by those skilled in the art to better 
understand it and its inherent advantages. In these drawings, like reference numerals
identify corresponding elements and: 

Figure 1 is a drawing of a distributed computer system having a centralized data 
log as described in various representative embodiments of the present patent document.

Figure 2 is a drawing of another distributed computer system having centralized
data log as described in various representative embodiments of the present patent
document.

Figure 3 is a drawing of an entry for a data structure for the centralized data log
as described in various representative embodiments of the present patent document.

Figure 4 is a flow chart of a method for writing to the centralized data log of
figure 1 as described in various representative embodiments of the present patent
document.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

As shown in the drawings for purposes of illustration, the present patent
document relates to a novel method for aggregating log data in a distributed system.
Previous methods for storing log data for distributed systems have either relied upon
maintaining individual logs for each individual process on its own local system or a
central log wherein each individual system which accumulates log data is executed by
a member of the same operating system family. Embodiments disclosed herein are not
limited by such constraints. In particular, a process accumulating event data for storage
in the central log may be running, not only on a remote computer, but also on an
operating system which differs significantly from the operating system of the logging
process. Other processes which accumulate such event data in the distributed system
may be further executed by operating systems of even different families or types. In the
following detailed description and in the several figures of the drawings, like elements
are identified with like reference numerals.

Figure 1 is a drawing of a distributed computer system 100 having a centralized
data log 105 as described in various representative embodiments of the present patent
document. In a first preferred embodiment as shown in figure 1, the centralized data log
105, also referred to herein as the data log 105, is stored in a computer memory 110, also
referred to herein as a computer readable memory device 110, on a log computer system
115. A log process 120, also referred to herein as a log program 120, executed by a log
operating system 125 stores data in the data log 105. A first computer process 130, also
referred to herein as a first computer program 130, is executed by a first operating system
135 on a first computer system 140. The log operating system 125 may differ
intrinsically in type from the first operating system 135. When the first computer process
130 detects a first event 145 not shown in figure 1, the first computer process 130
transmits description of the first event 145 as a first event description 150 to the log
process 120 via a network 190. However, it is possible that means other than the network
190 could be used to transmit the first event description 150 to the log process 120, as for
example storing data on a magnetic disk and physically transferring the disk to the log
computer system 115. The log process 120 stores the first event description 150 in the
data log 105. In the first preferred embodiment, the log operating system 125 is
intrinsically different from the first operating system 135. It is also possible that the
computer memory 110 comprising the data log 105 could be physically located on a
computer system located remotely from the log computer system 115.

Also shown in figure 1 is a second computer process 160, also referred to herein
as a second computer program 160, executed by a second operating system 165 on a
second computer system 170. The log operating system 125 may or may not intrinsically
differ in type from the second operating system 165, and the second operating system 165
may or may not intrinsically differ in type from the first operating system 135. When the
second computer process 160 detects a second event 175 not shown in figure 1, the
second computer process 160 transmits description of the second event 175 as a second
event description 180 to the log process 120 via the network 190. However, it is possible
that means other than the network 190, as for example storing data on a magnetic disk
and physically transferring the disk to the log computer system 115, could be used to
transmit the second event description 180 to the log process 120. The log process 120
stores the second event description 180 in the data log 105. In a representative
embodiment, the second operating system 165 is intrinsically different from the first
operating system 135. In another representative embodiment, the second operating
system 165 is intrinsically different from the log operating system 125. And in yet
another representative embodiment, the second operating system 165 is intrinsically
different from the first operating system 135 and intrinsically different from the log
operating system 125.

Figure 2 is a drawing of another distributed computer system 100 having
centralized data log 105 as described in various representative embodiments of the
present patent document. In a second preferred embodiment as shown in figure 2, the
data log 105 is stored in the computer memory 110 on the log computer system 115. The
log process 120 executed by log operating system 125 stores data in the data log 105.
The first computer process 130 is executed by the first operating system 135 on the first
computer system 140. When the first computer process 130 detects the first event 145
not shown in figure 2, the first computer process 130 transmits description of the first
event 145 as the first event description 150 to the log process 120 via the network 190.
However, it is possible that means other than the network 190, as for example storing
data on a magnetic disk and physically transferring the data to the log computer system
115, could be used to transmit the first event description 150 to the log process 120. The
log process 120 stores the first event description 150 in the data log 105. In the second
preferred embodiment, the log operating system 125 is intrinsically different from the
first operating system 135.

Also shown in figure 2 is an additional log system process 260 executed by the
log operating system 125 on the log computer system 115. When the additional log
process 260 detects an additional event 275 not shown in figure 2, the additional log
system process 260 transmits description of the additional event 275 as an additional
event description 280 to the log process 120. The log process 120 stores the additional
event description 280 in the data log 105. In a representative embodiment, the additional
log system process 260 transmits the additional event description 280 to the log process
120 via the network 190. In another representative embodiment, the additional log
system process 265 transmits the additional event description 280 to the log process 120
via paths internal to the log computer system 115.

Figure 3 is a drawing of an entry for a data structure 300 for the centralized data
log 105 as described in various representative embodiments of the present patent
document. The entry for the data structure 300 comprises a system identification 310 and
a component identification 315. The component identification 315 identifies the
component which detected the event logged, and the system identification 310 identifies
the system on which that component is located. The data structure 300 further comprises
event time 320 which specifies the clock time at which the event occurred, and event data
330 which provides information to the log user regarding the nature of the event detected
and subsequently recorded in the data log 105. Other items could be included in the data
structure 300, as for example operating system and computer system identification. Also,
the event time 320 could include the date of the event, as well as the time of day at which
the event occurred. Data structure 300 entries into the centralized data log 105 could be
entered into the centralized data log 105 in event time 320 order or as received by the
centralized data log 105. They could further be grouped by component identification 315
and/or system identification 310. In practice, the component could be, for example, a
software agent, and the system could be the physical system hardware on which the
software agent is operating.

Figure 4 is a flow chart of a method 400 for writing to the centralized data log 105
of figure 1 as described in various representative embodiments of the present patent
document. The method 400 of figure 4 could be implemented as software processes on
distributed computer system 100.

In block 410 the first computer process 130 executed by the first operating system 
135 detects the first event 145. Block 410 then transfers control to block 420. 

In block 420 the first computer process 130 prepares the first event description
150. Block 420 then transfers control to block 430. 

In block 430 the first event description 150 is transmitted to the log process 120
executed on the log computer system 115 by the log operating system 125. Block 430
then transfers control to block 440.

In block 440 the log process 120 receives the first event description 150 from the 
first computer process 130. Block 440 then transfers control to block 450. 

In block 450 the log process 120 stores the event information in the data log 105. 
Block 450 is the terminating step in the method. 

While the method 400 of figure 4 has been described in terms of the first
computer process 130 executed by the first operating system 135 on the first computer
system 140, it will be understood that the identical method can be followed for the second
computer process 160 of figure 1 executed by the second operating system 165 on the
second computer system 170, as well as for the additional log system process 260 of
figure 2 executed by the log operating system 125 on the log computer system 115.
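
The entry of figure 3 and blocks 420 through 450 of method 400, sketched as an added example that is not part of the patent document. The JSON-line encoding, the UTC normalisation, the in-memory log and all names (prepare, receive, CentralLog, the host and agent labels) are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FIELDS = ("system_id", "component_id", "event_time", "event_data")

@dataclass(frozen=True)
class LogEntry:
    system_id: str        # system identification 310
    component_id: str     # component identification 315
    event_time: datetime  # event time 320: date and time of day, held in UTC
    event_data: str       # event data 330

def prepare(system_id, component_id, event_data, when):
    """Sender, blocks 420-430: encode an event description as one ASCII-safe
    JSON line so the bytes mean the same on any operating system."""
    if when.tzinfo is None:
        raise ValueError("event time must be timezone-aware")
    record = {"system_id": system_id, "component_id": component_id,
              "event_time": when.astimezone(timezone.utc).isoformat(),
              "event_data": event_data.replace("\r\n", "\n")}
    # json.dumps escapes embedded newlines and non-ASCII: one event, one line.
    return json.dumps(record).encode("ascii") + b"\n"

def receive(wire):
    """Log process, block 440: parse and validate before storing."""
    record = json.loads(wire.decode("utf-8"))
    if not isinstance(record, dict) or not all(
            isinstance(record.get(f), str) for f in FIELDS):
        raise ValueError("malformed event description")
    when = datetime.fromisoformat(record["event_time"])
    if when.tzinfo is None:
        raise ValueError("event_time needs a UTC offset")
    return LogEntry(record["system_id"], record["component_id"],
                    when.astimezone(timezone.utc), record["event_data"])

class CentralLog:
    """Data log 105 (assumed in-memory): kept as received, sortable by time."""
    def __init__(self):
        self.entries = []

    def store(self, wire):  # block 450
        self.entries.append(receive(wire))

    def by_event_time(self):
        return sorted(self.entries, key=lambda e: e.event_time)

    def grouped(self):
        groups = {}  # (system, component) -> entries in event-time order
        for e in self.by_event_time():
            groups.setdefault((e.system_id, e.component_id), []).append(e)
        return groups

def demo():
    """Constructed sample: three senders whose arrival order differs from event order."""
    utc, cet = timezone.utc, timezone(timedelta(hours=1))
    log = CentralLog()
    log.store(prepare("unix-host", "agent-a", "disk 91% full",
                      datetime(2000, 1, 1, 12, 0, 9, tzinfo=utc)))
    log.store(prepare("nt-host", "agent-b", "service stopped\r\ncode 5",
                      datetime(2000, 1, 1, 13, 0, 3, tzinfo=cet)))
    log.store(prepare("log-host", "agent-c", "log rotated",
                      datetime(2000, 1, 1, 12, 0, 6, tzinfo=utc)))
    return log
```

The event time is whatever the sending system's clock reported, so event-time order is only as reliable as the senders' clock synchronisation; the as-received order is kept alongside it for that reason.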

In representative embodiments the present patent document describes methods
wherein data can be logged across systems of diverse implementations to a log on any
kind of system. Thus, the implementations provide two primary advantages over the
prior art: (1) logging of log data across different computer platforms and (2) aggregation
of log data into one location. This aggregation mechanism is designed to allow multiple
elements operating on diverse kinds of systems to log to a central system, which itself
may be on any kind of system. An administrator can monitor the operation of a
distributed system, as for example a distributed management tool, whose components
may be distributed across a network and operating on multiple, geographically dispersed
computers.

While the present invention has been described in detail in relation to preferred 
embodiments thereof, the described embodiments have been presented by way of 
example and not by way of limitation. It will be understood by those skilled in the art 
that various changes may be made in the form and details of the described embodiments 
resulting in equivalent embodiments that remain within the scope of the appended claims.

What is claimed is:

1. A computer program storage medium readable by a computer, tangibly
embodying a computer program of instructions executable by the
computer to perform method steps for storing event data [330] in a
centralized data log [105] in a distributed computer system [100], the
steps comprising:

detecting a first event [145] by a first computer process [130],
wherein the first computer process [130] is executable by a first
operating system [135];

preparing a first event description [150], wherein the first event
description [150] describes the first event [145];

transmitting the first event description [150] to a log process
[120], wherein the log process [120] is executable by a log
operating system [125], wherein the log operating system [125]
differs intrinsically in type from the first operating system [135];

receiving the first event description [150] by the log process
[120]; and

storing the first event description [150] in the centralized data log
[105].

2. The computer program storage medium as recited in claim 1, providing
the first event description [150] is transmitted from the first computer
process [130] to the log process [120] via a network [190].

3. The computer program storage medium as recited in claim 1, the steps
further comprising:

detecting a second event [175] by a second computer process [160],
wherein the second computer process [160] is executable by a second
operating system [165];

preparing a second event description [180], wherein the second event
description [180] describes the second event [175];

transmitting the second event description [180] to the log process [120];

receiving the second event description [180] by the log process [120]; and

storing the second event description [180] in the centralized data log
[105].



4. The computer program storage medium as recited in claim 3, providing
the second event description [180] is transmitted from the second
computer process [160] to the log process [120] via a network [190].

5. The computer program storage medium as recited in claim 3, providing
the second operating system [165] differs intrinsically in type from the
first operating system [135].



6. The computer program storage medium as recited in claim 3, providing
the second operating system [165] differs intrinsically in type from the
log operating system [125].

7. A computer readable memory device [110] encoded with a data structure
[300] for transferring data between a first computer process [130] and a
log process [120], the first computer process [130] having functions for
transferring an event description [150] to the log process [120], the
functions having associated parameters, the data structure [300] having
entries, each entry containing:

event data [330], wherein the event data [330] describes a detected event
[145];

a component identification [315], wherein the component identification
[315] identifies a component detecting the event [145] and wherein the
event [145] is described by the event description [150]; and

a system identification [310], wherein the system identification [310]
identifies a system, wherein the system comprises the component
detecting the event [145].

8. The computer readable memory device [110] as recited in claim 7,
providing the data structure [300] further contains an event time [320],
wherein the event time [320] is the clock time of event [145] occurrence.

9. A distributed computer system [100] for storing data, comprising:

a first computer process [130] executable by a first operating system
[135];

a log process [120] executable by a log operating system [125], wherein
the log operating system [125] differs intrinsically from the first operating
system [135]; and

a centralized data log [105] stored in a computer memory [110], wherein
the first computer process [130] comprises functions for transmitting a
first event description [150] to the log process [120] and wherein the log
process [120] comprises functions for receiving the first event description
[150] from the first computer process [130] and for storing the first event
description [150] in the data log [105].

10. The distributed computer system [100] as recited in claim 9, wherein the
first event description [150] is transmitted from the first computer process
[130] to the log process [120] via a network [190].